fix(logout): drive portal-host prefix from required SMB_NAME env#11
Closed
awais786 wants to merge 1 commit into
The logout redirect hardcoded "moneta." as the portal-host prefix in auth-utils.ts (PR #10's quick fix for the foss → moneta cutover). Both "foss." and "moneta." silently break the next domain move.

Make the prefix env-driven via a required SMB_NAME var (no default — docker-entrypoint.js exits non-zero at startup if the backend AUTH_TYPE is SSO and SMB_NAME is unset, instead of silently rendering the wrong portal host at logout).

Plumbed via the same Pattern B2 mechanism as every other NEXT_PUBLIC_* var:
- Dockerfile: ARG/ENV NEXT_PUBLIC_SMB_NAME=__NEXT_PUBLIC_SMB_NAME__
- docker-entrypoint.js: substitutes from process.env.SMB_NAME
- auth-utils.ts: reads process.env.NEXT_PUBLIC_SMB_NAME!.trim()

Container env name (SMB_NAME) is uniform across every devstack app behind ForwardAuth. See sso-rules RULES.md section 1 Logout.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- "moneta." as the portal-host prefix at surfsense_web/lib/auth-utils.ts:244 (PR "use moneta instead of foss in logout" #10 was the first cutover from "foss."). Both forms silently break the next domain move.
- SMB_NAME env var (no default — docker-entrypoint.js exits non-zero at startup if NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=SSO and SMB_NAME is unset).
- NEXT_PUBLIC_* var: Dockerfile bakes the __NEXT_PUBLIC_SMB_NAME__ placeholder; docker-entrypoint.js substitutes process.env.SMB_NAME at startup.

Why
Hardcoded prefixes silently break domain cutovers. Container env name (SMB_NAME) is uniform across every devstack app behind ForwardAuth — see sso-rules RULES.md §1 Logout.

Files changed
- surfsense_web/Dockerfile — ARG/ENV for NEXT_PUBLIC_SMB_NAME=__NEXT_PUBLIC_SMB_NAME__
- surfsense_web/docker-entrypoint.js — fail-fast SSO check + substitution
- surfsense_web/lib/auth-utils.ts — read process.env.NEXT_PUBLIC_SMB_NAME!.trim() at logout
- surfsense_web/.env.example — document the var

Test plan
- --build-arg NEXT_PUBLIC_SMB_NAME=__NEXT_PUBLIC_SMB_NAME__ (default); deploy with SMB_NAME=moneta + NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=SSO; verify logout lands on moneta.<domain>
- SMB_NAME with SSO; verify the container fails to start with a clear error message
- SMB_NAME without SSO; verify startup still succeeds (logout path not exercised)

🤖 Generated with Claude Code
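
The startup behaviour outlined in this description (exit non-zero when SSO is on and SMB_NAME is unset, then substitute the baked placeholder), as an added example that is not the PR's docker-entrypoint.js. The function names, the single-DNS-label check on SMB_NAME, and leaving the placeholder untouched when SSO is off are assumptions, not taken from the PR.

```javascript
// Added example, not the PR's code. Env var names and the placeholder come
// from the PR description; everything else here is an assumption.
const PLACEHOLDER = "__NEXT_PUBLIC_SMB_NAME__";
// One DNS label (RFC 1123): letters, digits, inner hyphens, 1-63 chars.
// Assumed hardening: the value ends up in a redirect host, so reject dots,
// slashes, '@' and anything else that could change where logout lands.
const DNS_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Returns the validated prefix, or null when SSO is off and the var is unset.
// Throws when SSO is on and the var is missing, or when the value is not a label.
function resolveSmbName(env) {
  const sso = (env.NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE || "").trim() === "SSO";
  const raw = (env.SMB_NAME || "").trim().toLowerCase();
  if (raw === "") {
    if (sso) throw new Error("SMB_NAME is required when AUTH_TYPE is SSO");
    return null;
  }
  if (!DNS_LABEL.test(raw)) {
    throw new Error("SMB_NAME must be a single DNS label, got " + JSON.stringify(raw));
  }
  return raw;
}

// Replaces every baked placeholder in one built file's text.
// With no value (SSO off) the text is returned unchanged (assumption).
function substitute(text, smbName) {
  return smbName === null ? text : text.split(PLACEHOLDER).join(smbName);
}

// Entrypoint-style wrapper: reports an exit code instead of exiting, so the
// fail-fast path can be exercised without killing the process.
function startupCheck(env, builtText) {
  try {
    return { code: 0, text: substitute(builtText, resolveSmbName(env)) };
  } catch (err) {
    return { code: 1, error: err.message };
  }
}

// Constructed sample standing in for one line of a built bundle.
const SAMPLE = 'const prefix = "__NEXT_PUBLIC_SMB_NAME__".trim() + ".";';
const SSO = { NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE: "SSO" };
console.log(startupCheck({ ...SSO, SMB_NAME: "moneta" }, SAMPLE));
console.log(startupCheck(SSO, SAMPLE)); // fail-fast: code 1
console.log(startupCheck({ ...SSO, SMB_NAME: "evil.example/x" }, SAMPLE)); // code 1
console.log(startupCheck({}, SAMPLE)); // SSO off: starts, text unchanged
```
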